Bug 26409 - ruby new security issue CVE-2020-10933
Summary: ruby new security issue CVE-2020-10933
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-01 01:38 CEST by David Walser
Modified: 2020-07-07 15:48 CEST (History)

See Also:
Source RPM: ruby-2.5.7-20.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-04-01 01:38:02 CEST
Upstream has issued an advisory today (March 31):
https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/

The issue is fixed upstream in 2.5.8 and 2.7.1:
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/

Mageia 7 is also affected.
David Walser 2020-04-01 01:38:20 CEST

Status comment: (none) => Fixed upstream in 2.5.8 and 2.7.1
Whiteboard: (none) => MGA7TOO

Comment 1 Pascal Terjan 2020-04-04 23:19:37 CEST
ruby-2.5.8-21.mga7.src.rpm submitted to 7/core/updates_testing
Comment 3 Pascal Terjan 2020-04-05 17:12:07 CEST
Yes and with different failures on aarch64 and armv7hl, and both are different from the one I have in cauldron :(
Comment 4 Pascal Terjan 2020-04-08 14:48:21 CEST
Cauldron was updated to 2.7.1

Status comment: Fixed upstream in 2.5.8 and 2.7.1 => Fixed upstream in 2.5.8
Version: Cauldron => 7
Source RPM: ruby-2.7.0-28.mga8.src.rpm, ruby-2.5.7-20.mga7.src.rpm => ruby-2.5.7-20.mga7.src.rpm

Comment 5 David Walser 2020-05-22 20:57:50 CEST
Fedora has issued an advisory for this today (May 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
Comment 6 Pascal Terjan 2020-07-05 22:35:21 CEST
ruby-2.5.8-21.mga7 is finally available in updates_testing!
Comment 7 David Walser 2020-07-05 23:02:19 CEST
Advisory:
========================

Updated ruby packages fix security vulnerability:

An issue was discovered in Ruby through 2.5.7. If a victim calls
BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method
resizes the buffer to fit the requested size, but no data is copied. Thus, the
buffer string provides the previous value of the heap. This may expose possibly
sensitive data from the interpreter (CVE-2020-10933).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933
https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
========================

Updated packages in core/updates_testing:
========================
ruby-2.5.8-21.mga7
libruby2.5-2.5.8-21.mga7
ruby-doc-2.5.8-21.mga7
ruby-devel-2.5.8-21.mga7
ruby-openssl-2.1.2-21.mga7
ruby-power_assert-1.1.1-21.mga7
ruby-irb-2.5.8-21.mga7
ruby-did_you_mean-1.2.0-21.mga7
ruby-io-console-0.4.6-21.mga7
ruby-psych-3.0.2-21.mga7
ruby-net-telnet-0.1.1-21.mga7
ruby-test-unit-3.2.7-21.mga7
ruby-xmlrpc-0.3.0-21.mga7

from ruby-2.5.8-21.mga7.src.rpm

Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 2.5.8 => (none)

Comment 8 Herman Viaene 2020-07-06 14:27:38 CEST
Whatever mirror I try: package not found.

CC: (none) => herman.viaene

Comment 9 Herman Viaene 2020-07-06 14:30:05 CEST
Sorry, just noticed that my qarepo was pointing to version 6.
Comment 10 Len Lawrence 2020-07-06 14:43:34 CEST
mga7, x86_64
Before update this very simple client/server copied from the ruby "Pickaxe" manual runs fine:

$ rpm -q ruby
ruby-2.5.7-20.mga7

$ cat bs.rb
require 'socket'
socket = UDPSocket.new
socket.bind( "127.0.0.1", 12121 )
loop do
  msg, sender = socket.recvfrom( 100 )
  host = sender[3]
  timestamp = Time.now
  puts "#{timestamp}: #{host} '#{msg}'"
  STDOUT.flush
end

[Terminal 1]
$ ruby bs.rb

In another terminal:
$ irb
irb(main):001:0> require 'socket'
=> true
irb(main):002:0> log = UDPSocket.new
=> #<UDPSocket:fd 9, AF_INET, 0.0.0.0, 0>
irb(main):003:0> log.connect( "127.0.0.1", 12121 )
=> 0
irb(main):004:0> log.print "Up and running"
=> nil
irb(main):005:0> log.print "Done! Over and out"
=> nil
irb(main):006:0> quit

[Terminal 1]
2020-07-06 10:04:00 +0100: 127.0.0.1 'Up and running'
2020-07-06 10:04:41 +0100: 127.0.0.1 'Done! Over and out'

Somebody who knows something about the BasicSocket library could probably construct a PoC test for CVE-2020-10933.  The length of the returned buffer could be checked and if it matches the requested size the whole buffer could be compared with the message string to see if it contains odd characters beyond the end of string.  Experimented with socket.read_nonblock but do not know if the fix is applied at that point.

require 'socket'
socket = UDPSocket.new
socket.bind( "127.0.0.1", 12121 )   # same setup as bs.rb above (stop bs.rb first or the bind fails); nothing has been sent yet
buffer = "rubbish ......"
flag = socket.read_nonblock( 200, buffer, exception: false )
puts flag.class, flag.to_sym          # :wait_readable, since no datagram is queued
puts buffer.length                    # 200 on the vulnerable ruby, 14 once fixed
puts buffer.slice( 0..199 )           # anything past "rubbish ......" is stale heap memory

$ ruby bsx.rb
Symbol
wait_readable
200
rubbish ......�#��#��#/#�G�lB0=98�A8�A��@�9�:90�A

------------------------------------------------------------------------------
Updated all the packages.

$ ruby --version
ruby 2.5.8p224 (2020-03-31 revision 67882) [x86_64-linux]

CVE-2020-10933
$ ruby bsx.rb
Symbol
wait_readable
14
rubbish ......

This was repeatable so it looks encouraging.

Tested ruby against an array of local scripts which mainly exercise boiler-plate code, various gems and ruby-tk calls.
One makes http requests and others interact with ffmpeg, get_iplayer, mplayer and vlc, deal with astronomical calculations and print directly to a wifi printer.  No regressions encountered, yet.

$ gem list
*** LOCAL GEMS ***
astro_moon (0.2)
coderay (1.1.3)
daemons (1.3.1)
did_you_mean (1.2.0)
eventmachine (1.2.7)
ffi (1.11.3)
glib2 (3.4.1)
gtk (0.1.0)
image_processing (1.11.0, 1.10.3, 1.10.2)
json (2.1.0)
.....

$ sudo gem install nokogiri
Fetching: mini_portile2-2.4.0.gem (100%)
Successfully installed mini_portile2-2.4.0
Fetching: nokogiri-1.10.9.gem (100%)
Building native extensions.  This could take a while...
Successfully installed nokogiri-1.10.9
Parsing documentation for mini_portile2-2.4.0
Installing ri documentation for mini_portile2-2.4.0
Parsing documentation for nokogiri-1.10.9
Installing ri documentation for nokogiri-1.10.9
Done installing documentation for mini_portile2, nokogiri after 1 seconds
2 gems installed

$ irb
irb(main):001:0> Dir.chdir( Dir.home+"/ruby/scriptlets" )
=> 0
irb(main):002:0> File.readlines( "jabberwocky" ).each { |line| puts line }
Twas brillig and the slithy toves
Did gyre and and gimble in the wabe.
All mimsy were the borogoves
And the mome raths outgrabe.


=> ["Twas brillig and the slithy toves\n", "Did gyre and and gimble in the wabe.\n", "All mimsy were the borogoves\n", "And the mome raths outgrabe.\n", "\n", "\n"]
irb(main):003:0> quit

$ irb
irb(main):001:0> plink = "Just a drop in the ocean"
=> "Just a drop in the ocean"
irb(main):002:0> puts plonk
Traceback (most recent call last):
        2: from /usr/bin/irb:11:in `<main>'
        1: from (irb):2
NameError (undefined local variable or method `plonk' for main:Object)
Did you mean?  plink

$ urpmq --whatrequires lib64ruby2.5 | sort -u | wc -l
70
$ strace -o paddb.trace ruby ~/bin/padlab
$ grep ruby paddb.trace | grep lib
.....
openat(AT_FDCWD, "/usr/lib64/ruby/enc/windows_1257.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/shift_jis.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/shift_jis.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/gbk.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/gbk.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/gems/ruby/tk-0.2.0/tkutil.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
.....

$ strace -o calco.trace ~/bin/calco
$ grep lib calco.trace | grep -v "(No such" | grep -v tk > libs
$ less libs
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "          /usr/lib64/libm-2.29.s"..., 1024) = 1024
.....

vim is listed, so...
$ strace -o vim.trace vim weather
$ cat vim.trace | grep lib | grep ruby | grep -v "No such"
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3

Enough already.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
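
A self-contained check for the behaviour described in the advisory (comment 7) and probed by hand in comment 10, added here as an example rather than taken from the bug or from Ruby itself: it calls BasicSocket#read_nonblock with a caller-supplied buffer on a socket with nothing queued and reports whether the buffer was grown without any data being copied. It assumes a Ruby with socket support, uses a UNIX socket pair instead of the UDP socket from the QA script, and the names probe_read_nonblock, classify, read_pending and run_self_check are invented for this example.

```ruby
require 'socket'

# Sentinel passed in by reference, like the "rubbish ......" buffer in the QA script.
SENTINEL = 'rubbish ......'.b

# Call read_nonblock(requested_size, buffer, exception: false) on a socket with
# nothing queued and record what happened to the caller-supplied buffer.
def probe_read_nonblock(sock, requested_size = 200)
  buffer = SENTINEL.dup
  result = sock.read_nonblock(requested_size, buffer, exception: false)
  grown = buffer.bytesize > SENTINEL.bytesize
  {
    result: result,                         # :wait_readable when no data is pending
    original_size: SENTINEL.bytesize,
    buffer_size: buffer.bytesize,
    # Bytes past the original contents never came from the socket, so on a
    # vulnerable interpreter they are stale heap memory (CVE-2020-10933).
    stale_bytes: grown ? buffer.byteslice(SENTINEL.bytesize..-1) : ''.b
  }
end

# A fixed interpreter returns :wait_readable and leaves the buffer no longer
# than it was; a vulnerable one resizes it to requested_size without copying.
def classify(probe)
  return :inconclusive unless probe[:result] == :wait_readable
  probe[:buffer_size] <= probe[:original_size] ? :fixed : :vulnerable
end

# Normal path for comparison: with data pending, the buffer must be resized to
# exactly the bytes read and contain only those bytes.
def read_pending(sock, peer, payload = 'Done! Over and out')
  peer.write(payload)
  buffer = SENTINEL.dup
  sock.read_nonblock(200, buffer, exception: false)
  buffer
end

# Constructed locally: a UNIX socket pair needs no network, and
# BasicSocket#read_nonblock is the method under test either way.
def run_self_check
  sock, peer = UNIXSocket.pair
  verdict = classify(probe_read_nonblock(sock))
  data = read_pending(sock, peer)
  [sock, peer].each(&:close)
  { verdict: verdict, pending_read: data }
end

# Run as a script to print the verdict for the interpreter in use.
puts "ruby #{RUBY_VERSION}: #{run_self_check[:verdict]}" if __FILE__ == $PROGRAM_NAME
```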

Comment 11 Len Lawrence 2020-07-06 14:46:17 CEST
@Herman: comment 8.
Sorry, this was just on its way.
Comment 12 Herman Viaene 2020-07-06 14:53:11 CEST
Great, saved me some headache how to test this!!!
Comment 13 Thomas Andrews 2020-07-07 12:44:40 CEST
Great work, guys! Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-07 15:15:21 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 14 Mageia Robot 2020-07-07 15:48:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0285.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

